October 2017

Why SME manufacturers should be worried about cyber security

Nigel Mackie, Head of Cyber Security Business Development, recorded a podcast with the EEF’s Martin Strutt to discuss why SME manufacturers should be worried about cyber security. In the podcast, Nigel mentioned ‘vectors of security’, which are ways your electronic systems can be attacked – in other words, your business’ cyber vulnerabilities.

Threat vectors can vary widely in terms of purpose and the attacker. Here are just a few examples:

An employee taking a hard drive or downloaded data with them to a competitor for compensation or a new job

An employee making a change to a factory machine or system that unintentionally creates a vulnerability

A hacker stealing customer data, for example through the company website, as happened in the TalkTalk hack

A foreign government or malicious individual/organisation engaging in industrial or inter-governmental warfare through cyberattacks on particular supply chains, infrastructure or industrial facilities

In fact, Nigel gave an alarming example, saying, “Cyber warfare sounds a little bit Hollywood, but 20 nations have openly declared they are building offensive cyber capability. That means they will be essentially using hacking to exploit vulnerabilities in critical national infrastructure and industrial control systems and then exploit them in the future. For example, when Russia attacked the Ukraine, they switched the power off in something called BlackEnergy. So this is the future we face.”

And it isn’t just large companies, utilities or governments that should be worried about cyber security when it comes to the warfare of the future. This threat can affect even those lower down on the supply chain.

Nigel explains, “If an SME that made bolts was attacked and their CAD drawings were changed. Then those bolts are supplied into a military aircraft and the attacker knew exactly what tolerances could be affected on those bolts to cause the aircraft windscreen to pop out at a particular speed and altitude. That’s what could happen.”

Steps to becoming digitally secure

Nigel explains that 80% of cyber security can be taken care of with simple best practices, such as ensuring passwords are changed regularly, aren’t written down and aren’t easy to guess. Customer information should be stored on two servers rather than just the web server, and all stored data should be encrypted. He also says that when MASS visits companies, most have many more digital ‘assets’ than they realise. These can include sub-systems that subcontractors have installed, and still have access to, unbeknownst to most people at the company.

In terms of training, Nigel recommends running a disaster recovery workshop to ensure the issues have been thought through and the organisation knows what to do in the event of a cyber attack. Many do this for fire and floods, but a cyber attack is far more likely. You will be surprised just how many issues these workshops raise for half a day of senior team effort, and a good workshop will give you the plan as an output.

The business case for security

For some companies, cyber security has not been a priority, but this is increasingly a business critical issue. Here are just a few of the ways cyber security impacts the bottom line:

With stringent new data protection regulations (GDPR) coming into force in 2018, companies will be responsible for ensuring their customer data is secure, or face significant fines.

Companies are already required to adhere to the government’s Cyber Essentials guide if they want to be a contractor for the Ministry of Defence. Expect to see similar supply chain requirements for other sectors of government and infrastructure as well as major companies in aerospace, automotive and beyond.

Audits and cyber security certification (such as Cyber Essentials Plus or DCPP) will increasingly become expected practice for most companies. Nigel of MASS says that when they conduct audits for companies, about 85% fail between Cyber Essentials and Cyber Essentials Plus. Chances are, your company has room to improve.

During merger and acquisition discussions, a company without a strong cyber security, risk assessment and recovery plan will be valued at very low

To listen to Martin and Nigel discuss cyber security in UK manufacturing in their podcast, click here.